METHOD AND SYSTEM FOR PROVIDING PROCESS-BASED ACCESS CONTROL FOR A COLLABORATION SERVICE IN ENTERPRISE BUSINESS SOFTWARE
The present invention relates to access control objects directly associated with collaboration process nodes, which are themselves associated with a collaborative software object. The direct association of the access control objects allows for a fine granularity of per-party access control at every step of a collaborative process. Systems and methods for constructing access lists from the access control objects are described, as well as restricted GUI rendering according to access indicators associated with an access control object.
Latest SAP AG Patents:
- Systems and methods for augmenting physical media from multiple locations
- Compressed representation of a transaction token
- Accessing information content in a database platform using metadata
- Slave side transaction ID buffering for efficient distributed transaction management
- Graph traversal operator and extensible framework inside a column store
This application is related to U.S. patent application Ser. No. 11/947,801, filed on Nov. 30, 2007, the entire contents of which are expressly incorporated herein by reference.
BACKGROUNDCollaborative software is software designed to help people involved in a common task to achieve their goals. The software may provide tools to facilitate inter-party communication, task partitioning, especially task specialization, and overall project organization. Collaborative management tools include project management systems that are used to schedule, track, and chart the steps in a project as it is being completed. Collaborative software allows for several distinct entities to specialize in particular areas, yet come together for a larger project involving those areas. Typically there will be a project owner and several sub-contractors. Current designs may allow different degrees of restricted access, but those permissions are typically entity based. Since the access requirements of different entities of the collaboration will fluctuate depending on the stage of the project and also on the various decisions made during the collaborative process, there exists a need for a process-based access control mechanism, which may be directly related to the collaboration process.
The commonly assigned incorporated reference describes a collaborative process that may be facilitated by a collaboration data structures being mapped to and associated with a hierarchical business object (e.g., a representation/description of the project being collaborated on). The collaborative process may require multiple parties to be involved. The level of involvement of each party may fluctuate during each point in the collaborative process, and may also be different based on the party or the task assigned to the party. Since it is common for a collaborative project to include at least some outside parties (e.g., sub-contractors), a collaborative process data structure may require an access control mechanism. This mechanism may restrict each party to the appropriate information for that party. Some access control mechanisms already exist, but are usually entity based, manually configured, and generally applicable based solely on the assigned entity. Example embodiments of the present invention may create an access control object to be directly associated with a node of the underlying business or collaborative data structure. In this way, the pre-existing organization and structure of the business object, and the pre-existing organization of the collaboration object may be leveraged to incorporate an access control mechanism that is uniquely specific to every aspect of the process, without requiring manual configuration for each party. The example systems and example methods described below illustrate an access control object directly associated to portions of the collaborative process object, and how this data may be utilized to construct access restricted renderings of a graphical user interface for a restricted party.
Software object 105 may include a business object to represent a business instrument. For example, the object may include data and functions to represent a purchase order, a work order, or a sales order. Software object 105 may be organized as a collection of software object nodes such as first software object node 110, second software object node 115, and third software object node 120 linked to each other hierarchically. Collaboration service object 135 may also be organized in a way similar to software object 105. Collaboration service object 135 may include collaboration service nodes such as first collaboration service node 140, second collaboration service node 145, and third collaboration service node 150, wherein each collaboration service node corresponds to a software object node in software object 105. First collaboration service node 140 may be a collaboration service node created for first software object node 110. Second collaboration service node 145 is a collaboration service node created for second software object node 115. First collaboration service node 140 and second collaboration service node 145 are hierarchically linked to each other via link 142 in a way similar to that of first software object node 110 and second software object node 115 which are connected via link 112 in software object 105. In an embodiment, first collaboration service node 140 and second collaboration service node 145 are linked hierarchically to allow execution of hierarchy based functions. Hierarchical function includes a function that is capable of influencing both a parent node and a related child node of the parent node when the function is executed on the parent node.
Collaboration processes may include any number of tasks, and therefore collaboration objects may include any number of corresponding functions and structures. Examples may include negotiation, requests for execution, requests for clarification, a tendering process, an approval process, open discussions, exception handling, or the integration of external collaboration. An example of a negotiation may include two or more parties negotiating a business case, proposing new business as well as collaboration content which can be accepted, rejected or revised by the other parties. This complex scenario covers a wide range of use cases and may involve a sophisticated status and revision management. This process may be modeled by a series of hierarchical objects. For example, a communication object may provide email, instant message, bulletin board, etc. functions, with exchanged messages as stored data. Objects associated with the negotiation process may maintain a status of the negotiation, and may provide bidding functions in various forms. As parties can be added and removed from the negotiation process at any time, as well as at any place in the hierarchy tree that is affected by the negotiation, it may have advanced requirements for the access control. For example, a broader set of parties may be included during negotiation, but be restricted from seeing data (e.g., bids) from other parties. Then, once the negotiation concludes, future data may be restricted to the winning bidder, with all others restricted out, e.g., unable to view that data from their specific user interface.
An example request for execution may pertain to a digital business document (e.g., as the software object 105), where a certain element is requested for execution. For example, the status may be flagged as being in execution and the business partner responsible for execution may be notified via one of the associated messaging functions. The new stage of the process “execution” may create a new object node in the software object, with a new collaboration node in the collaboration object. Further, according to an example embodiment of the present invention, a new access control object may be associated with the new collaboration node. The executing business partner might receive additional access rights to the digital document for the time of the execution, via the new access control object associated with the execution node. Thus, by attaching an access control object to this new node, access rights may be granted specific to the execution of this request. A request for clarification may operate in a similar manner.
An example of the tendering process may include the owner of the business object initiating the tendering process, which may create a new data object node to represent the tendering functions and data, such as which parties should receive the object. A certain object or object node can be tendered as peer-to-peer to a specific party or broadcasted to a set of parties through associated messaging functions. An offer may be accepted automatically based on certain criteria stored within the object or manually, i.e. using an approval process. This requires a relatively straight forward access control object (e.g., to those the tender is being made), but is still specific to the collaboration process node created by the initiated tendering process. The approval process may be used in scenarios where certain parts of the business object (e.g., a business document) require approval by a specific party or member of a party. The status of affected nodes may be set to ‘requires approval’ and the node might only be released once approval has been given.
Collaboration objects may also be used to model more unstructured collaboration. The open discussion process may attach a discussion forum to a business object node and may enable free form comments and replies. Further, exception handling may include a special requirement for business processes that involve collaboration processes with internal as well as external parties. Exceptions can occur when a business object or object node reaches an inconsistent state or when other object specific conditions are met. This class of processes encapsulates the exception handling and can feature notifications, automated actions and the triggering of other collaboration processes. Any number of other software object nodes and associated collaboration nodes are possible in the example data structures, such as
In addition to the internal data structures described in
It may be appreciated that other sections of the GUI could act in similar fashion. For example, section 220 (e.g., a purchase order for a new service) may be opened to a series of bidding parties initially, and subsequently closed to all of them except the winning bidder. This scenario illustrates the importance of a process based access control, instead of mere entity based access control. There may be sections, e.g., 230, that are only accessible by one level of the collaboration parties, e.g., the project owner. There may be sections, e.g., 240, specific to one lower level party, that is accessible by the project owner and that one party. Additionally, any number of other sections are possible. For example, one section may be based on a specific project phase, where multiple project contractors have access, and/or access adjusts as the phase progresses.
Example embodiments of the present invention may introduce the direct use of the collaboration objects and nodes (e.g., the collaboration process of
An example embodiment of an access control data structure, according to an example embodiment of the present invention, is illustrated in
Example scope indicator attributes are illustrated in
The partner node 340 may represent a party that has been granted access. Multiple parties can be represented by multiple instances of the partner node 340. The party may be identified by storing a unique Partner ID 350 data attribute. The partner node 340 also may contain the access mode 352 attribute which may define the access level to the set of nodes, as described by the derivation strategy scope indicators (e.g., 320 to 332). In contrast to the derivation strategy, the access mode may be set per party. Example values may include “01—read only,” “02—read and update,” “03—create, read and update,” and “04—create, read, update and delete.” Additionally, there may be an access admin. mode 354, which may control whether the granted party is able to change the access control object 300. Possible values for this attribute may include “00—no changes allowed,” “10—can grant read access to other parties,” “11—can grant lower level of access to other parties,” “12—can grant same level of access to other parties,” and “99—can grant and revoke any access.” The additional data 355 of partner node 340 may include the ID of the granting party, ID of the granting user, the time/date rights were granted, and any validity period for the partner rights.
Generally, one instance of the root node will exist for a given access control object with one or more partner nodes. This example embodiment affords process specific scope indicators for the software object nodes, with partner specific access control (e.g., shared node scope and per-party access rights). Alternative embodiments may have several instantiations of the root node, with several sets of scope indicators. Alternative embodiments may include several access control objects associated with a process node, each with a different root node (e.g., scope indicators) and a different set of partner nodes. These latter two embodiments may add some complexity, but provide a finer granularity of access control. However, in many embodiments of the incorporated reference, access control for a specific process to the associated node sets may remain constant for all users, with only access rights differing per partner.
It may be appreciated that in certain example embodiments, a given node of the software object is affected by multiple access objects. For example, node A of
Example embodiments of the present invention may include a system to execute an algorithm to extract the access control information from the collaboration processes and the attached access control objects. The business object node tree (e.g., software object 105) may be represented in list form. The compositional information may be available via the key and parent key fields. Additionally, nodes from embedded dependent objects may be merged into the list.
It should be understood that there exist implementations of other variations and modifications of the invention and its various aspects, as may be readily apparent to those of ordinary skill in the art, and that the invention is not limited by specific embodiments described herein. Features and embodiments described above may be combined. It is therefore contemplated to cover any and all modifications, variations, combinations or equivalents that fall within the scope of the basic underlying principals disclosed and claimed herein.
Claims
1. An Access Control Object data structure, comprising:
- a root node to interface with another object node and define access control for the other object node, the root node including: a key to uniquely identify the root node; a host key to store a unique ID of the other object node; a plurality of scope indicators, each being applicable to a pre-defined set of nodes belonging to a data structure associated with the other object node, wherein each scope indicator indicates a level of access to the pre-defined set of nodes; and
- a partner node to define data specific to a single user, including: a key to uniquely identify the partner node; a root key to store a unique ID of the root node; a partner ID to store the unique ID of the user; and an access mode to define a level of access for the user.
2. The data structure of claim 1, wherein the partner node further includes:
- an access administrator mode to define the level of access the user may grant other users.
3. The data structure of claim 1, further comprising:
- a plurality of partner nodes, each node associated with a different user.
4. The data structure of claim 1, wherein the plurality of scope indicators includes at least one of the following pre-defined sets of nodes: current node, parent node, all ancestor nodes, all descendant nodes, and all sibling nodes.
5. The data structure of claim 1, further comprising:
- a reference for associating the access control object with a referenced object node belonging to the data structure associated with the other object node, the reference including: a reference key to uniquely identify the reference; a reference parent key to store a unique ID of the root node; a target key to store a unique ID of the referenced object.
6. The data structure of claim 1, wherein the other object node belongs to a linked hierarchy data structure representing a collaboration project.
7. The data structure of claim 1, further comprising:
- an abstract function configured to inherit process-specific functionality from the other object node.
8. A method of constructing a per-party access control item, comprising:
- loading on an access control computer system an access control object associated with a collaboration node from a collaboration process object node mapped to a software object node;
- for each partner node associated with the access control object, constructing an access control item including the ID of accessible nodes and an access level indication; and
- rendering a user interface to include only data and functions accessible according to the access control item.
9. The method of claim 8, wherein the software object is a member of a linked hierarchy of nodes, and wherein access to any node by a particular user is determined by the per-party access control item.
10. A method of constructing an access control object, comprising:
- associating an access control object instance with a collaboration node from a collaboration process object mapped to a software object; and
- storing a scope indicator for each of several node sets.
11. The method of claim 10, further comprising:
- instantiating a partner node; and
- storing a node type, access mode indicator, and access administration mode indicator.
12. The method of claim 11, wherein the instantiating is performed for each partner having access to the collaboration node.
13. The method of claim 10, further comprising:
- instantiating functionality inherited from the collaboration process object for a generic function defined in the access control object.
14. A system for constructing an access control object, comprising:
- a processor configured to associate an access control object instance with a collaboration node mapped to a software object node, wherein the software object node is stored as part of a linked hierarchy of software object nodes;
- the processor configured to store in the access control object instance a scope indicator for each of several node sets, wherein each node set includes one or more nodes from the linked hierarchy of software object nodes.
15. The system of claim 14, wherein the access control object includes a partner node for each partner with defined access rights associated with the access control object scope indicators,
- wherein the processor is configured to receive a request for data from a node of the linked hierarchy of software object nodes that includes a partner ID, and
- wherein the processor is configured to provide the data based on access rights determined by a combination of the scope indicators and a partner access mode stored in the partner node.
16. The system of claim 15, wherein the processor is configured to construct a graphical user interface based on the linked hierarchy of software object nodes, and wherein the to provide the data includes limiting the graphical user interface to only data with associated granted access rights to a particular requesting user.
17. The system of claim 14, wherein the access control object includes a generic method definition, and wherein the process is configured to instantiate functionality inherited from the collaboration node in the generic method definition.
Type: Application
Filed: Nov 5, 2009
Publication Date: May 5, 2011
Patent Grant number: 8954471
Applicant: SAP AG (Walldorf)
Inventor: Ralf Gueldemeister (Los Altos, CA)
Application Number: 12/612,839
International Classification: G06F 17/30 (20060101); G06F 3/01 (20060101);